USB security token login AS SYSDBA

Purpose

FCBGuard prevents unauthorised AS SYSDBA logins to an Oracle database by making a USB security key (token, card, call it whatever you like) mandatory for such logins. To log in AS SYSDBA, the database administrator must hold a properly configured USB security key that is registered in the database. Without such a key, every AS SYSDBA login attempt ends with the connecting process being killed.

The main purpose of this is to stop the root user from becoming oracle and connecting to the database. Keep in mind what the control is: it sits in the login path of a process that root ultimately controls, so it raises the bar for the casual root -> oracle -> SYSDBA hop rather than making it impossible, and it only covers local, OS-authenticated logins (the remote path through the listener is discussed at the end).

pre-FCBGuard epoch :)

    # whoami
    root
    # su - oracle
    $ sqlplus "/ as sysdba"

Do you consider the situation above normal? From a security perspective, I'd say it's hardly normal. On the other hand, there are only a few doubtful, well-known ways to prevent it:

a. The database administrator takes over full responsibility for system administration. This contradicts the "separation of duties" principle.

b. Use threads. Starting with Oracle Database 12c, the multithreaded Oracle model allows Oracle processes on UNIX and Linux to run as operating system threads in separate address spaces. When the THREADED_EXECUTION initialization parameter is set to TRUE, which enables the multithreaded Oracle model, operating system authentication is not supported. Attempts to connect to the database using operating system authentication (for example, CONNECT / AS SYSDBA or CONNECT /) when this initialization parameter is set to TRUE result in an ORA-01031 "insufficient privileges" error.

Can anyone share info on what benefits can be gained by using THREADED_EXECUTION=true?

How it works

So, leaving to root what belongs to root and not touching THREADED_EXECUTION, FCBGuard was created in order to:

A. fail any pseudo-authorised AS SYSDBA database connection attempt:

    [root@databasehost ~]# whoami
    root
    [root@databasehost ~]# su - oracle
    Last login: Fri Feb 10 17:22:37 EST 2023 on pts/1
    [oracle@databasehost ~]$ sqlplus / as sysdba

    SQL*Plus: Release 19.0.0.0.0 - Production on Fri Feb 10 17:22:57 2023
    Version 19.3.0.0.0

    Copyright (c) 1982, 2019, Oracle.  All rights reserved.

    Broadcast message from oracle@databasehost (Wed Feb 15 11:17:05 2023):

    Unauthorised SYSDBA login attempt detected to dbname@databasehost

    Killed
    [oracle@databasehost sql]$ rman target /

    Recovery Manager: Release 19.0.0.0.0 - Production on Mon Feb 20 11:18:51 2023
    Version 19.3.0.0.0

    Copyright (c) 1982, 2019, Oracle and/or its affiliates.  All rights reserved.

    Broadcast message from oracle@databasehost (Mon Feb 20 11:18:51 2023):

    Unauthorised SYSDBA login attempt detected on dbname@databasehost

    Killed
    [oracle@databasehost sql]$

B. authenticate a "real" DBA using a USB security key and let them connect to the database:

    [oracle@databasehost sql]$ sqlplus sysproxy/sysproxy @${DATA_PUMP_DIR}/fcbguard.sql
        << this file is auto-generated when the SYSPROXY user logs in

    SQL*Plus: Release 19.0.0.0.0 - Production on Fri Feb 10 18:03:29 2023
    ...
    dba@host-where-USB-security-token-is-present's password:
        << here an SSH connection is established to the remote/local host where the USB security token is present
    Using reader with a card: Yubico YubiKey OTP+FIDO+CCID 00 00
        << the USB security token is detected
    PKCS#15 Card [Oracle login as SYSDBA]:
            Version        : 0
            Serial number  : 534xdsdfsdc9asdfasdf
            Manufacturer ID: piv_II
            Flags          :
    Logging in to "Oracle login as SYSDBA".
    Please enter User PIN:
        << the correct USB security token PIN is expected
    Using decrypt algorithm RSA-PKCS
    Sdf34rsdfee23423
    Connection to 192.168.50.219 closed.
    847
    FCBGuard v.21.12.701 (c) 2023 Olexandr Siroklyn. All rights reserved.
    Connected.
    USER is "SYS"
    SQL>

Read as a whole, the B transcript has the shape of a challenge/response: the generated script SSHes to the host holding the token, OpenSC unlocks the PIV applet with the PIN, a value is decrypted with the private key on the token (RSA-PKCS) and handed back, and only then is the SYSDBA session opened. The page does not spell out the exact protocol, so treat this reading as an interpretation of the transcript.

Requirements

a. A UNIX host where the free OpenSC software is installed and fully functional, and where your USB security key can be operated in read-only mode by OpenSC.

b. That UNIX host must be reachable via SSH.

c. A USB security key. Taglio PIVKey T600, Feitian ePass2003 and YubiKey 5C have been tested successfully. YubiKey is the best choice if you don't mind the price. The USB security key must be properly configured, i.e. an X.509 certificate has been generated and stored on it, so the public and private keys are present as well.

d. A UNIX-based Oracle database, on-premise or in the cloud. Any edition and any version (12c and higher) where the Java subsystem is available.

Restrictions

A free light version of FCBGuard is available for download and has the following limitations:

1. Only one USB security key can be active and used during connect, i.e. only one AS SYSDBA person can be connected locally. There are no restrictions on remote AS SYSDBA connections.

2. Reaching the initial nomount, mount, upgrade and open database stages is possible without a USB security key being present.

License

FCBGuard is free, partially closed-source software. You can use it in any way you like as long as the copyright notice is preserved.

And last, but not least: if the USB security token is lost or broken, it is not a fatal event, because remote AS SYSDBA login via the listener always remains available. The flip side is that this remote, password-file-authenticated path is not covered by the token at all, so the SYS password and network access to the listener still need their own protection.

Thanks.

P.S. If you think more FCBGuard features would be useful for you, please feel free to contact me.
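The B transcript under "How it works" ("Using decrypt algorithm RSA-PKCS", then a value echoed back before "Connected.") looks like a decrypt-the-nonce challenge/response against the key stored on the token. The script below is an added example written for this page, not FCBGuard's code, and it reproduces that pattern with the openssl command-line tool so it can be run without a token: a file-based RSA key and self-signed X.509 certificate stand in for the PIV token, and the OpenSC command a real token would run is shown in a comment. Every file name, the nonce format and the registration step are assumptions for the demo; the page does not document FCBGuard's internals.

```shell
#!/bin/sh
# Added example (not FCBGuard code): challenge/response simulated with openssl.
# The USB token plus its OpenSC driver is replaced by a file-based RSA key.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Token side, done once at provisioning: key pair plus self-signed X.509 cert,
# as a PIV key slot is provisioned. On a real token the private key is created
# on-card and never leaves it; only the certificate is exported.
make_token_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/token.key" 2>/dev/null
    openssl req -new -x509 -key "$WORK/token.key" -days 1 \
        -subj "/CN=Oracle login as SYSDBA" -out "$WORK/token.crt" 2>/dev/null
}

# Database side, registration: keep the certificate's public key.
# (Assumption: how FCBGuard stores the registered certificate is not documented.)
register_cert() {
    openssl x509 -in "$WORK/token.crt" -pubkey -noout > "$WORK/registered.pub"
}

# Database side, per login: fresh random nonce, RSA PKCS#1 v1.5 encrypted to the
# registered public key. Only the holder of the matching private key can recover it.
issue_challenge() {
    openssl rand -hex 16 > "$WORK/nonce"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/registered.pub" \
        -in "$WORK/nonce" -out "$WORK/challenge.bin"
}

# DBA side (the host reached over SSH in the transcript): decrypt with the key.
# With OpenSC and a real PIV token this step would be along the lines of:
#   pkcs15-crypt --decipher --pkcs1 --key <key-id> --pin <PIN> \
#       --input challenge.bin --output response
answer_challenge() {
    openssl pkeyutl -decrypt -inkey "$1" \
        -in "$WORK/challenge.bin" -out "$WORK/response" 2>/dev/null
}

# Database side, verification: the returned plaintext must equal the current
# nonce byte for byte. Exit status 0 = open the SYSDBA session, 1 = kill it.
# Because a new nonce is issued per login, replaying an old response fails too.
verify_response() {
    cmp -s "$WORK/response" "$WORK/nonce"
}

# Happy path: the registered key answers the challenge.
login_with_token() {
    make_token_key
    register_cert
    issue_challenge
    answer_challenge "$WORK/token.key"
    verify_response
}

# Failure path: someone without the token (root included) tries with another key.
# Depending on the OpenSSL version the decrypt either errors out or, with implicit
# rejection, yields random bytes; either way the nonce comparison fails.
login_without_token() {
    : > "$WORK/response"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/rogue.key" 2>/dev/null
    answer_challenge "$WORK/rogue.key" || return 1
    verify_response
}
```

Before wiring a real token into something like this, confirm that OpenSC actually sees the certificate and the key it belongs to on the SSH host: `pkcs15-tool --list-certificates` and `pkcs15-tool --list-keys` print the object IDs, and the key ID shown there is what `pkcs15-crypt --key` expects. The important design points carried over from the transcript are that the private key is only ever used on the token host, that the nonce is generated and checked on the database side, and that a mismatch must end in the session being killed rather than falling back to anything.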